From 585770faa3c54ccae3808f111340816d6d7c02ca Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:31:00 +0200
Subject: [PATCH] update syntax a bit to re-run the test

---
 rules/linux/macos_startup_items.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml
index f930be4a..2153bd39 100644
--- a/rules/linux/macos_startup_items.yml
+++ b/rules/linux/macos_startup_items.yml
@@ -11,11 +11,9 @@ logsource:
 product: macos
 detection:
 selection_1:
- TargetFilename|contains:
- '/Library/StartupItems/'
+ TargetFilename|contains: '/Library/StartupItems/'
 selection_2:
- TargetFilename|endswith:
- '.plist'
+ TargetFilename|endswith: '.plist'
 condition: selection_1 and selection_2
 falsepositives:
 - Legitimate administration activities
@@ -24,4 +22,3 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1037.005
-
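Review bot: With `condition: selection_1 and selection_2` left as-is, the rule only fires when the file created under `/Library/StartupItems/` ends in `.plist`, so any non-`.plist` file dropped into that directory (the executable a startup item actually runs) never matches; if that narrowing is deliberate, a comment in the rule such as `# only the .plist write under StartupItems is matched; the script itself is ignored to limit noise` would make it explicit, otherwise `condition: selection_1` alone covers both cases. The list-to-scalar rewrite itself is semantically neutral in Sigma (a one-element list and a scalar compile to the same condition), so backend output should be unchanged by this commit. The file lives under `rules/linux/` while `logsource` declares `product: macos`, which is worth reconciling so macOS-scoped builds and reviewers find it where expected. The `logsource` category and the rule header begin above the first hunk and are not visible here.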